Perhaps no city cares about the privacy of its residents as much as Oakland.
Last year, the California city became one of just a handful around the country that have banned municipal use of facial recognition technology. That came on top of an earlier ordinance that put limits on surveillance technology.
Those laws were largely the handiwork of Oakland’s Privacy Advisory Commission, a citizen-led board that can review any and all city policies and regulations through a privacy lens. Other cities have privacy policies or staff in place, while a few have ad hoc groups to address particular issues, such as smart city policies. No other city has a standing group with such a broad charter.
“We know the activities that are going on in the city of Oakland,” says Tracy Rosenberg, advocacy director for Oakland Privacy, a nonprofit watchdog group. “Oakland is considering buying some drones. I’m not happy about it, but I know about it, I can weigh in on it, and there’s a body looking at the issues. It’s not like we’re going to find out just by looking up when they’re already flying over our heads.”
In 2020, data privacy bills are being debated in numerous states — many modeled on a California law that took effect this year. Meanwhile, the tech industry is lobbying Congress to put a national standard in place. The European Union already has stricter data protection policies in place than the U.S.
While privacy can seem like an issue that’s national or even international in scope, issues such as surveillance often play out at the local level, particularly in law enforcement.
“There is a really important role for local institutions,” says Chris Calabrese, vice president for policy at the Center for Democracy and Technology, a civil liberties group based in Washington. “That is, figuring out how their localities are using surveillance technologies. It’s actually not unusual for a state or a town to get a grant from DHS [Department of Homeland Security] to get a drone or surveillance without any discussion by the city council.”
How the Commission Started
That’s exactly what happened in Oakland. The city had received DHS funding for a Domain Awareness Center (DAC), which collected and analyzed surveillance data from throughout the city. It began as a security project at the port and airport, but crept out to encompass the entire city, collecting information from 700 cameras in public housing and schools, outdoor gun detection microphones, license plate readers and other sensors.
News about the DAC broke thanks to someone with a temp job in the city’s technology office. If that sounds like Oakland had its own version of Edward Snowden, the National Security Agency contractor who made international news with revelations of mass data collection at the federal level — well, the Oakland story happened to break just after Snowden himself burst on the scene.
“They have the great fortune of hitting the public safety agenda in the middle of June 2013, which was two weeks after somebody named Edward Snowden hit the front pages of newspapers,” says Brian Hofer, who chairs the Oakland Privacy Advisory Commission.
Realizing that the issues Snowden had brought to the fore were playing out right in their own hometown had a galvanizing effect in Oakland. City officials were already highly familiar with the large aggregation of activist groups who call Oakland home. Many of those groups were already on high alert. At the time, the Occupy movement was still fresh. The city had also been rocked by the killing of Oscar Grant by a transit officer, which formed the basis of the 2013 movie Fruitvale, and anticipated the complaints about police violence that would erupt in 2014 in Ferguson, Mo.
“There was just all this activist energy in Oakland at that exact time,” Hofer recalls, “and it was just like the match that lit the gasoline fire.”
At that time, Hofer had never before set foot in Oakland City Hall, but he became part of the coalition of opposition that grew in response to the Domain Awareness Center, which entailed not just lobbying but street protests. The city’s project ended up dying a slow death, becoming limited to the port, which pulled all its funding and staffing for it.
Activists then pushed for a standing body to deal with privacy matters so that such a project couldn’t sneak up on them again. “These kinds of technological projects, smart city projects in some form or another keep coming and you can’t always mobilize the entire city to react,” Rosenberg says. “We were lucky, but in the future it might be harder.”
After a long struggle, the city council narrowly agreed in 2016 to create the standing commission. Hofer now consults formally and informally with other cities that are looking to put policies in place safeguards as concerns about the potential dark sides of technology use garners more attention. Through monthly conference calls, he trades ideas with municipal privacy professionals in several cities.
“I’m still flying around to conferences where the Domain Awareness Center is still the case study, and that was from 2014,” Hofer says. “It’s still the shot heard ‘round the world — like you can actually say ‘no’ to the surveillance state, and also come up with a reasonable solution that still addresses public safety concerns.”
The ban on facial recognition and limits on surveillance have attracted most of the attention, but the commission has also worked on a broad range of policies, clarifying general data usage rules and reviewing agreements with outside agencies such as DHS, ATF and the FBI.
Each member of the city council appoints a commissioner. That has sometimes made recruitment a challenge, since members have to come from within relatively small districts. The commission has nevertheless attracted people with a range of backgrounds, including civil rights attorneys, a retired police officer and the occasional technology company employee. In drafting some policies, the commission has relied on outside expertise from entities such as the University of California, Berkeley and the American Civil Liberties Union.
The commission constantly encounters pushback, both from technology companies who warn that constraints will hamper innovation and from city staff who worry about increased paperwork or other administrative burdens. Hofer does his best to address such concerns, arguing that an insistence on transparency and an airing of issues does not mean projects will fail to move forward.
He feels that his most convincing argument comes from building consensus, both within the commission and among city staff. Since the commission started four years ago, it’s seen a grand total of one “no” vote and three abstentions. Every other position has been taken unanimously.
“I’ve always said that I’m going to resign as chair if there’s ever a 5-4 vote that I have to send to the council,” Hofer says. “We’re an advisory body, we’re supposed to be subject matter experts, and if I send a 5-4 vote up, that means we didn’t do our job.”
Broadening the Scope
The commmission is now working on an umbrella set of privacy principles that will govern all kinds of non-law-enforcement activities, such as business licensing and tax collection. He’s concerned, given the ever-evolving technological landscape, that information collected innocuously at first could eventually be used in ways that put people in harm’s way.
That’s certainly been a theme with various uses of technology. License plate readers were initially brought in for parking enforcement, but the data they collect is then stored and used for broader surveillance. The same with smart streetlights, which may first be seen as just a way to cut the electricity bill, but can be equipped with surveillance cameras and sensors. Oakland's commission can ask vendors who come in promising labor and cost savings for the city about the potential privacy issues raised by their products and services.
Four years after its founding, the Oakland privacy commission remains unique in allowing citizens to help draw the lines when it comes to the full range of privacy concerns. In many cities, privacy remains under the purview of government officials themselves, which may or may not provide a forum for hearing citizens’ concerns. There can also be turf protection, with police commissions, for example, insisting that they should handle any privacy issues that might arise.
The list of technologies that will affect privacy at the local level, from biometrics to doorbell cameras, will only continue to grow. Governments tend to be reactive, but it might be time for cities and counties to try to get out in front.
“Our argument is it’s really a lot easier if you do it on the front end and set up a system for what you can see coming,” Rosenberg says. “If you’re not actively doing something to be on top of it, you’re going to throw up your hands, let everything come through and be dealing with privacy and usage concerns on the back end.”